Office 365 collector
Generate credentials in Azure AD
Begin by creating and registering your application within Azure AD. Give it a name of your choice to identify it, such as devo-integration. The Redirect URI field may be left blank. Make note of the application's Client Id as well as the Tenant Id. Learn more here.
Move to the API Permissions section on the left menu, then click Add a permission in the main pane. Find the Office 365 Management APIs section and click on it.
Then click Application permissions, and enable the appropriate permissions, at least the two under ActivityFeed. Click Add permissions.
Once you have added the permissions, you need to grant admin consent to the application. You should then see a message confirming Successfully granted admin consent for the requested permissions. Learn more here.
The permissions that need to be set are as follows:
Read activity data from your organization
Read service health information from your organization
Read DLP policy events including detected sensitive data (only if pulling “DLP.All” from Management Activity)
Generate a new key (also called client secret value in the application) and copy/record it for later use. To do this, go to Certificates & secrets in the left-hand menu and click New client secret. Learn more here.
Azure only displays the client secret value at the time you initially generate it. You cannot navigate back to this page and retrieve the client secret value later.
Choose data types
The Office 365 Collector collects Management Activity. See more details below:
Management Activity
This data type collects actions and events from the Office 365 Management Activity API. The content types available are:
Audit.AzureActiveDirectory
Audit.Exchange
Audit.SharePoint
Audit.General
DLP.All
More details on the Office 365 Management Activity API can be found here.
Minimum configuration required for basic pulling
Although this collector supports advanced configuration, the fields required to retrieve data with basic configuration are defined below.
This minimum configuration covers only the parameters specific to this integration. Other required parameters relate to the generic behavior of the collector. Check the settings sections for details.
"credentials": {
  "tenant_id": "<tenant_id_value>",
  "client_id": "<client_id_value>",
  "client_secret": "<client_secret_value>"
}
Sometimes you will find the client_id as Application (client) ID.
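The following is an added example, not part of the collector or of Devo's documentation: a least-privilege check that decodes an access token issued to the registered application and compares its granted permissions with the content types you plan to pull. The role identifiers (ActivityFeed.Read, ServiceHealth.Read, ActivityFeed.ReadDlp), the audience https://manage.office.com, and all function names and sample values are assumptions to confirm in your own tenant.

```python
import base64
import json

# Content types are from this page; role names and audience are assumptions.
CONTENT_TYPES = {"Audit.AzureActiveDirectory", "Audit.Exchange",
                 "Audit.SharePoint", "Audit.General", "DLP.All"}
BASE_ROLES = {"ActivityFeed.Read", "ServiceHealth.Read"}
DLP_ROLE = "ActivityFeed.ReadDlp"  # needed only when pulling DLP.All
EXPECTED_AUDIENCE = "https://manage.office.com"


def decode_claims(token):
    """Return the JWT payload as a dict. Diagnostic only: no signature check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_token(token, tenant_id, content_types):
    """List findings for an access token issued to the collector's app."""
    claims = decode_claims(token)
    findings = [f"unknown content type: {ct}"
                for ct in content_types if ct not in CONTENT_TYPES]
    if claims.get("tid") != tenant_id:
        findings.append("token tid does not match configured tenant_id")
    if claims.get("aud") != EXPECTED_AUDIENCE:
        findings.append(f"unexpected audience: {claims.get('aud')}")
    needed = BASE_ROLES | ({DLP_ROLE} if "DLP.All" in content_types else set())
    granted = set(claims.get("roles", []))
    findings += [f"missing permission: {r}" for r in sorted(needed - granted)]
    findings += [f"permission not needed for selected content types: {r}"
                 for r in sorted(granted - needed)]
    return findings


def make_sample_token(claims):
    """Build an unsigned token from constructed claims, for offline use."""
    enc = [base64.urlsafe_b64encode(json.dumps(p).encode()).rstrip(b"=").decode()
           for p in ({"alg": "none"}, claims)]
    return f"{enc[0]}.{enc[1]}.constructed"


if __name__ == "__main__":
    tid = "00000000-0000-0000-0000-000000000000"  # constructed sample values
    tok = make_sample_token({"tid": tid, "aud": EXPECTED_AUDIENCE,
                             "roles": sorted(BASE_ROLES | {DLP_ROLE})})
    print(audit_token(tok, tid, ["Audit.Exchange", "Audit.General"]))
```

An empty list means the granted permissions match the selected content types. A "not needed" finding points to a permission you can remove from the app registration.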
Launching collectors
Fully managed solution
To deploy the Office 365 Collector in the Devo-managed Collector Server, please contact your account representative and/or the Professional Services team, and provide the configuration for your data type(s) as specified above. This final configuration will need a tenant id, a client id, a client secret, and a list of the content types you would like to pull.